Configuring Client Security on a four-server topology

Applies To: Forefront Client Security

To configure Client Security, you must run the Configuration wizard on the management server, and then complete several manual configuration steps on the management server and the collection server. Finally, you must grant additional permissions to the service accounts.

Configure Client Security on the management server

The Configuration wizard runs automatically when you open the Client Security console for the first time.

To configure Client Security on the management server

  1. Using an account that has local administrator privileges on all of the Client Security servers, log on to the management server.

  2. Open the Client Security console. (Click Start, point to All Programs, point to Microsoft Forefront, point to Client Security, and then click Microsoft Forefront Client Security Console.)

  3. If the Configuration wizard doesn't start automatically, click Configure on the Action menu.

  4. On the wizard's Before You Begin page, click Next.

  5. On the Collection Server and Database page, do the following:

    1. In the Collection server box, enter the name of the collection server. The default value is not correct for this topology.

    2. In the Collection database box, enter the name of the collection database and the SQL Server instance, if necessary. The default value is not correct for this topology.

    3. In the Management group name box, enter the name of the management group you specified during the Setup wizard, and then click Next.

  6. On the Reporting Database page, do the following:

    1. In the Reporting database box, enter the reporting database server and, if necessary, the SQL Server instance. The default value is not correct for this topology.

    2. In the Reporting account box, enter the user name and password for the reporting account, and then click Next.

  7. On the Reporting Server page, do the following:

    1. In the Reporting server box, enter the name of the reporting server. The default value is not correct for this topology.

    2. In the URL for Report Server and URL for Report Manager boxes, ensure the default values are entered, and then click Next.

  8. On the Verifying Settings and Requirements page, verify your system requirements, and then click Next. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:

  9. On the Completing the Configuration Wizard page, verify that you have successfully configured Client Security, and then click Close. If you receive an error, you cannot continue configuring Client Security. If you receive a warning or error, see the following resources for more information:

Point MOM administrator and operator consoles to collection server

By default, the MOM consoles on the management server look for the collection server on the local host. In this topology, they must be pointed to the collection server.

To point the MOM consoles to the collection server

  1. On the management server, open the MOM administrator or operator console.

  2. When the MOM dialog box appears, enter the name of the collection server in the Name box, and then click OK.

  3. Close the MOM console.

Grant the correct permissions for the user account

The user account you use to work with Client Security on the management server must have the correct permissions on the collection server.

To grant the correct permissions for the user account

  • Do one of the following:

    • Make sure that the user account you use to work with Client Security on the management server has local administrator privileges on the collection server.

    • On the collection server, add the user account you use for the management server to these groups: MOM Users and Distributed COM.

Grant the correct permissions for the service accounts

Before using Client Security, you must grant additional permissions to the service accounts.

To grant the correct permissions for the service accounts

  1. On the collection server, add the action account to the Administrators group.

  2. Grant the reporting account db_owner permissions on the SystemCenterReporting database on the reporting server.

  3. If you used different accounts for the DAS account and the action account, grant the action account db_owner permissions on the OnePoint database on the collection server.

  4. If you used different accounts for the DAS account and the reporting account, grant the reporting account db_owner permissions on the OnePoint database on the collection server.

  5. If the collection server is installed on Windows Server 2008, and User Account Control (UAC) is enabled on that server, you must manually add the DAS account to the MOM Administrators local group.

To grant permissions to SQL Server databases

  1. On the server with the appropriate database (OnePoint or SystemCenterReporting), start SQL Server Management Studio.

  2. In the console tree, expand Security.

  3. Right-click Logins, and then click New Login on the shortcut menu.

  4. In the Login dialog box, type the appropriate service account (domain\username) in the Login name box.

  5. Under Select a page, click User Mapping, and then in the Map column, select the check box for the appropriate database.

  6. In the Database role membership box, select the db_owner check box, and then click OK.
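
The same grant can be scripted in T-SQL and then checked. This is an added example, not part of the original Microsoft procedure: the account name CONTOSO\svc-fcs-report is a placeholder, and SystemCenterReporting should be swapped for OnePoint when granting on the collection database. It uses sp_addrolemember, which is available on older SQL Server releases, and GO is the batch separator understood by SQL Server Management Studio and sqlcmd.

```sql
-- Added example: scripted form of the Management Studio steps above.
-- CONTOSO\svc-fcs-report is a placeholder; substitute the real service
-- account (domain\username) before running.

-- Steps 3-4: create the Windows login on the instance if it is missing.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-fcs-report')
    CREATE LOGIN [CONTOSO\svc-fcs-report] FROM WINDOWS;
GO

-- Step 5: map the login to a user in the target database.
-- Use OnePoint here instead when working on the collection server.
USE SystemCenterReporting;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-fcs-report')
    CREATE USER [CONTOSO\svc-fcs-report]
        FOR LOGIN [CONTOSO\svc-fcs-report];

-- Step 6: add the mapped user to the db_owner role.
EXEC sp_addrolemember N'db_owner', N'CONTOSO\svc-fcs-report';
GO

-- Verification: list every principal that holds db_owner in this database.
-- Only dbo and the service accounts named in this topic are expected;
-- anything else is worth reviewing.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```

Running the verification query again on each database after setup gives a record of which accounts hold db_owner, which can be compared against later audits.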